LOGIN_RADIUS(8) OpenBSD System Manager's Manual LOGIN_RADIUS(8) NAME login_radius - contact radiusd for authentication SYNOPSIS login_radius [-s service] [-v name=value] user [class] DESCRIPTION The login_radius utility contacts the radiusd daemon to authenticate a user. If no class is specified, the login class will be obtained from the password database. When executed as the name login_style, login_radius will request radiusd use the authentication specified by style. Available options are: -s Specify the service. Currently only challenge, login, and response are supported. -v This option and its value are ignored. The login_radius utility needs to know a shared secret for each radius server it talks to. Shared secrets are stored in the file /etc/raddb/servers with the format: server shared_secret It is expected that rather than requesting the radius style directly (in which case the radiusd server uses a default style) that login_radius will be linked to the various mechanisms desired. For instance, to have all CRYPTOCard and ActivCard authentication take place on a remote server via the radius protocol, remove the login_activ and login_crypto modules and link login_radius to both of those names. Now when the user requests one of those authentication styles, login_radius will automatically for- ward the request to the remote radiusd and request it do the requested style of authentication. LOGIN.CONF VARIABLES The login_radius utility uses the following radius-specific /etc/login.conf variables: radius-server Hostname of the radius server to contact. radius-server-alt Alternate radius server to use when the primary is not responding. radius-challenge-styles Comma-separated list of authentication styles that the radius server knows about. If the us- er's authentication style is in this list the challenge will be provided by the radius server. If not, login_radius will prompt the user for the password before sending the request (along with the password) to the radius server. radius-timeout Number of seconds to wait for a response from the radius server. Defaults to 2 seconds. radius-retries Number of times to attempt to contact the radius server before giving up (or falling back to the alternate server if there is one). Defaults to 6 tries. FILES /etc/login.conf login configuration database /etc/raddb/servers list of radius servers and their associated shared secrets SEE ALSO login(1), login.conf(5) CAVEATS OpenBSD does not ship with a radius server in the default install, howev- er several are available via packages(7). For login_radius to function, the /etc/raddb directory must be owned by group ``_radius'' and have group-execute permissions. Likewise, the /etc/raddb/servers file must be readable by group ``_radius''. OpenBSD 3.4 August 23, 1996 2